
Re: future of Identity on the Web

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 25 Oct 2011 21:51:58 +0200
Cc: "Dan Brickley" <danbri@danbri.org>, public-identity@w3.org, "Ben Adida" <ben@adida.net>, "Tim Berners-Lee" <timbl@w3.org>
Message-Id: <E59B4B62-6B40-4FDD-B702-7439CCFC8C98@bblfish.net>
To: "Harry Halpin" <hhalpin@w3.org>

On 25 Oct 2011, at 21:27, Harry Halpin wrote:

> While I of course believe in open standards and privacy, and thus
> personally believe there are some good ideas into looking at a
> Web-of-trust model as opposed to CAs for certs in WebID (and thus am
> serious about a second workshop focussed on certificates), WebID was not
> viewed as very convincing by the vast majority of attendees at the
> workshop and there were serious security concerns raised by Brad Hill.

You keep saying that, Harry, but I don't think I know of these security concerns. Are these concerns that can be aired in the open, or are they the type of security concerns that cannot be discussed? If they can be discussed then I propose a todo list: write each one of them out one by one in a way that can be falsified in a Popperian manner. We can then work out what these issues are, and see how we can respond to them.

Criticism of the WebID protocol needs to be laid out carefully given that it is based on the widely deployed TLS standard, which has had a huge amount of review. If WebID risks falling prey to criticism, then doing JavaScript APIs and certificate signing in JavaScript is bound to lead to way, way bigger issues, and is therefore going to have to undergo massive review.


> As WebID is still emerging work, I suggest strongly that it stay in another
> XG, CG, or WG and that we co-ordinate as needed as WebID matures.

I think we should coordinate now as these evolve. This is a consequence of your calling the other group the Web Identity group. 

> I do
> think that the Javascript APIs that this WG is aiming at could benefit
> WebID, as well as many other identity efforts like OpenID Connect and
> BrowserID.

Very possibly: but then perhaps call the group the Crypto API WG.

As for the profile documents, if the W3C process were to lead to a widely adopted profile format, that would of course also be welcome to WebID, and beyond in fact. It is quite easy to see how such a profile could even make certificate dialog boxes a lot more friendly: for example, by using the info in the profile to fill the certificate selection box with a photo or similar information... That won't of course affect the WebID protocol, but it clearly would make the end user experience better.

> In fact, the only identity effort that was viewed as a widescale deployment success by our membership at the workshop was SAML.

Perhaps there is a way of doing SAML with WebID. I think there was work in Manchester along those lines.

Henry

Social Web Architect
http://bblfish.net/
Received on Tuesday, 25 October 2011 19:52:31 GMT
